A high-interaction honeypot emulating an unpatched Oracle WebLogic Server (v14.1.1.0.0) recorded immediate and widespread exploitation attempts against the newly disclosed unauthenticated RCE CVE-2026-21962, plus continued scans targeting older critical WebLogic RCEs, over a 12-day period (Jan 22–Feb 3, 2026). Attackers quickly weaponized the public exploit and used rented VPS (e.g., DigitalOcean, HOSTGLOBAL.PLUS), automated scanners (libredtail-http, Nmap NSE) and common techniques such as path traversal and Java deserialization to gain RCE, underscoring the need for urgent patching and layered defenses. #CVE-2026-21962 #OracleWebLogic
Keypoints
- Immediate exploitation: first exploitation attempt of CVE-2026-21962 was observed on 2026-01-22 (same day as public exploit release), demonstrating rapid weaponization.
- Multiple critical WebLogic RCEs targeted: honeypot logged attacks against CVE-2026-21962, CVE-2020-14882/14883, CVE-2020-2551, and CVE-2017-10271.
- Attacker infrastructure: perpetrators predominantly used rented VPS from providers like DigitalOcean and HOSTGLOBAL.PLUS to conduct high-volume scans and exploits.
- Techniques and payloads: attackers employed unauthenticated HTTP GET/POST to console endpoints, URL-encoded path traversal, and Java deserialization/MVEL payloads to execute OS commands.
- Broad “spray and pray” activity: large volumes of generic web reconnaissance, path traversal, and unrelated exploit attempts (Hikvision, PHPUnit, command injection) were also observed.
- Mitigations: immediate patching (prioritize CVE-2026-21962), restrict console exposure, disable/limit IIOP/T3/WLS-WSAT, deploy WAF/DPI rules, and enhance logging/alerting.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Used to gain unauthenticated RCE against WebLogic console endpoints (‘HTTP GET requests to /_proxy//weblogic/..;/bea_wls_internal/ProxyServlet/wl_proxy//weblogic/..;/bea_wls_internal/ProxyServlet’).
- [T1203] Exploitation for Client Execution – Java deserialization and MVEL payloads were used to execute code on the server (‘the payload uses Coherence MVEL to achieve remote code execution, attempting to read a command from a cmd HTTP header and execute it via java.lang.ProcessBuilder’).
- [T1059] Command and Scripting Interpreter – Exploits attempted to run OS-level commands via shell interpreters (‘execute arbitrary operating system commands’ and attempts referencing ‘/bin/sh -c’ and ‘cmd.exe /c’).
- [T1105] Ingress Tool Transfer – Post-exploitation techniques implied by attempts to retrieve or run tools using OS utilities (‘Sudden execution of suspicious OS commands (e.g., wget, curl, sh, cmd.exe)’).
- [T1595] Active Scanning – High-volume automated reconnaissance and scanning activity was observed across many endpoints (‘Generic Web Recon attempts were the most frequent activity’).
Indicators of Compromise
- [IP Address] attacker sources observed – 67.213.118.179 (first CVE-2026-21962 attempt), 67.211.213.61 (CVE-2020-2551 probing), and more than 10 other VPS-hosted IPs.
- [Endpoint / URL path] exploited vectors and probes – /_proxy//weblogic/..;/bea_wls_internal/ProxyServlet (CVE-2026-21962 vector), /console/images/%252e%252e%252fconsole.portal (CVE-2020-14882/14883), and other exploit paths (e.g., /wls-wsat/CoordinatorPortType, /console/css/%2e%2e%2fconsolejndi.portal).
- [CVE] targeted vulnerabilities – CVE-2026-21962, CVE-2020-14882/14883, and CVE-2020-2551 (plus CVE-2017-10271) observed in exploit attempts.
- [User-Agent / Tool] scanning signatures – libredtail-http (1,012 requests from 21 IPs), Nmap Scripting Engine (664 requests from 5 IPs) used for automated scanning and exploitation.
- [Hosting Provider / Organization] attacker infrastructure – HOSTGLOBAL.PLUS LTD (high request volume), DigitalOcean, LLC (many unique IPs) used to launch scans and exploit attempts.
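The URL-path and User-Agent indicators above only match reliably once the request path has been fully URL-decoded (the `%252e%252e%252f` double encoding) and the `..;/` path-parameter trick has been collapsed. The following detector, an added example that is not part of the honeypot report, shows that normalisation and runs it over constructed access-log lines in combined log format; the log lines, client IPs and the indicator names are assumptions for illustration.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not honeypot data); paths mirror the report's IoCs.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2026:10:01:02 +0000] "GET /_proxy//weblogic/..;/bea_wls_internal/ProxyServlet/wl_proxy//weblogic/..;/bea_wls_internal/ProxyServlet HTTP/1.1" 200 512 "-" "libredtail-http"
203.0.113.6 - - [22/Jan/2026:10:02:10 +0000] "POST /console/images/%252e%252e%252fconsole.portal HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jan/2026:10:03:45 +0000] "POST /wls-wsat/CoordinatorPortType HTTP/1.1" 500 88 "-" "Nmap Scripting Engine"
203.0.113.8 - - [22/Jan/2026:10:04:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Indicators from the report, matched against the normalised path (names are assumed labels).
INDICATORS = {
    "weblogic_proxyservlet_traversal": re.compile(r"/bea_wls_internal/ProxyServlet", re.I),  # CVE-2026-21962 vector
    "console_portal_traversal": re.compile(r"/console/.*\.\./.*\.portal", re.I),           # CVE-2020-14882/14883
    "wls_wsat": re.compile(r"/wls-wsat/", re.I),                                           # CVE-2017-10271 endpoint
}
SCANNER_UAS = ("libredtail-http", "Nmap Scripting Engine")

def normalize_path(path: str) -> str:
    """Repeatedly URL-decode (handles %252e double encoding) and drop `;param` path segments,
    so `..;/` becomes the `../` traversal segment the server actually interprets."""
    decoded = path
    for _ in range(3):  # bounded: stop once decoding is stable
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return re.sub(r";[^/]*", "", decoded)

def classify(line: str) -> Optional[dict]:
    """Parse one log line and tag it with every indicator it matches; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = normalize_path(m["path"])
    tags = [name for name, rx in INDICATORS.items() if rx.search(path)]
    if "../" in path:
        tags.append("path_traversal")
    if any(sig in m["ua"] for sig in SCANNER_UAS):
        tags.append("scanner_ua")
    return {"ip": m["ip"], "path": path, "tags": sorted(tags)}

def scan_log(text: str) -> list:
    """Return only the parsed lines that carry at least one indicator tag."""
    hits = (classify(l) for l in text.splitlines() if l.strip())
    return [h for h in hits if h and h["tags"]]
```

The fourth sample line (a plain console login page request) produces no tags and is dropped, while the three exploit-path lines are reported with their matching indicators.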